General

  • Target

    KPSFEGLI.EXE

  • Size

    820KB

  • Sample

    220503-vplxvacgbk

  • MD5

    1573b52c2d0b3d410e73a3a1495565d0

  • SHA1

    c7f09d25eeda29012127e0511a361b73254d4170

  • SHA256

    f7548d3107c311afddf7827c19a4154bf0e9359cc294e9169042ccd3cc290227

  • SHA512

    fe8c7405d545e1dbadcdcd9fbec9f2496a654bfd4ee761f2a704265bbd0d65c88588930adac5e536974ecbe03793a1aa21a212fb1cc27530477e32baf41d0c06

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

oka.nerdpol.ovh:2223

Attributes

  • communication_password

    b6c6e855edf908ec7c12ce8c8e628a5c

  • tor_process

    tor

Targets

    • Target

      KPSFEGLI.EXE

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks